No time to read? Listen here?

The Israel-Iran conflict has unfolded not only on the battlefield, but also in cyberspace. Within just one week of Israel launching Operation Rising Lion to counter Iran’s nuclear ambitions, researchers saw a staggering 700% surge in cyberattacks targeting Israeli entities. These attacks were fueled by a mix of state-sponsored actors and ideologically driven hacktivist groups.

New LinkWhile cyber hostilities between these nations are nothing new, this most recent escalation mirrors the intensity of the military campaign. Targeted sectors, including government, defense, critical infrastructure, financial services, and transportation, have been hit with phishing campaigns, website defacement, DDoS attacks, and malware deployments, all designed to disrupt operations and gather intelligence.

And despite the ceasefire on the ground, the cyber war continues. KELA has been closely tracking cyber threat actors over the past two years. Understanding the scope, tactics, and impact of these threats is critical for preparing for what may come next. Here’s a look at some of the developments we’ve seen. 

Spikes in Claims, but Not in Sophistication 

While KELA observed a surge in hacktivist claims during this period, many lacked clear evidence and were often exaggerated. Overall, the attacks remained largely unsophisticated, primarily involving DDoS campaigns and website defacements. While Israel was the primary focus, allied nations also found themselves in the crosshairs.

Some of these activities appear to be symbolic, intended to show solidarity rather than cause real damage. However, others had a more tangible impact. 

Hacktivist Chaos: Bold Claims, Blurred Lines

Groups like Handala Hack Team, Cyber Islamic Resistance, and Mysterious Team Bangladesh have flooded Telegram channels and the darknet with bold claims of massive data thefts, DDoS attacks, and sabotage. Many assertions, such as exfiltrating terabytes from Israeli defense firms or breaching international organizations, remain unverified or inflated. Yet the psychological and propaganda effects are undeniable, especially when layered with partial truths.

KELA emphasizes the critical need to distinguish between real damage and strategic posturing, as many state-linked operations are disguised behind hacktivist fronts to maintain plausible deniability. This fusion of activism and espionage makes attribution murky and threat response even more complex.

Low-Tech, High Volume: The DDoS and Defacement Playbook

The most common tactics observed are relatively unsophisticated DDoS attacks, website defacements, and shallow intrusions. These methods may lack technical depth but still cause operational and reputational headaches. For example, groups like Arabian Ghosts, Mr Hamza, Lulzsec Black, and the DarkStorm Team claimed takedowns of government, transportation, and financial platforms, often with minimal evidence or targeting errors (e.g., attacking a travel portal instead of Israel Railways).

Despite limited sophistication, the volume and persistence of these campaigns, especially when they swarm during geopolitical events, can overwhelm underprepared systems. KELA also notes that entities beyond Israel, including U.S., European, and Arab organizations, have been named in threat campaigns, showing how cyber retaliation often spills across borders.

Disinformation and Digital Smokescreens

The cyber battle isn’t just about system disruption; it’s also about shaping perception. KELA has tracked an uptick in disinformation campaigns, phishing attacks, and coordinated leaks designed to erode trust and amplify chaos. Groups like EvilByte and RootSec have published alleged credentials from Mossad personnel and law enforcement; Predatory Sparrow reportedly leaked Iranian state documents and breached Nobitex’s crypto infrastructure.

Meanwhile, anonymous actors hijacked Iranian state TV to broadcast anti-regime protest content, a symbolic win for psychological ops. On the flip side, pro-Iranian narratives suggest U.S. and Israeli collusion, adding geopolitical intrigue to already volatile information warfare. In this noisy landscape, verification is vital. KELA warns against overreacting to inflated or falsified claims, as doing so may feed the very disruption adversaries seek to create.

Despite Ceasefire, the Cyber War Continues

Even after military ceasefire agreements, the digital front remains hot. Between June 22–24, pro-Palestinian groups launched coordinated cyber offensives across multiple sectors. Dark Storm Team claimed DDoS attacks that disrupted access to major Israeli institutions including Mercantile Bank, Union Bank of Israel, BNP Paribas’ Israeli branch, the Central Elections Committee, and national portals like the Israel Export Institute and Tehila. Simultaneously, Gaza Children’s Group and Cyber Isnaad Front targeted Gilat Satellite Networks, alleging disruptions to military communications infrastructure (claims still unverified by KELA).

Beyond Israel, hacktivist groups escalated their activities globally. Mysterious Team Bangladesh and LulzSec Black broadened their scope to U.S., European, and Arab targets, with LulzSec Black issuing a manifesto threatening nations like the UAE and hinting at future operations against Argentina. 

Meanwhile, following U.S. airstrikes on Iranian nuclear sites, Iranian-linked groups like CyberAv3ngers are expected to intensify cyber operations against U.S. entities, with the Department of Homeland Security warning of a “heightened threat environment.” Past deployments of malware such as IOCONTROL suggest that espionage, phishing, and OT/IoT targeting could be in play. In a telling social media post, the hacktivist collective Anonymous accused Russia of facilitating U.S. strikes, reflecting how cyber narratives are becoming entangled with geopolitical propaganda.

What’s at Stake

This wave of cyber hostilities is not just a side story; it represents a dangerous convergence of digital warfare, propaganda, and geopolitical tension. Organizations in Israel and its allied nations must now defend against both loud hacktivist campaigns and stealthier state-sponsored intrusions. The risks extend beyond operational disruption, impacting public trust, diplomatic relationships, and critical infrastructure integrity.

Recently, KELA hosted a webinar, "Iran, Cyber, and the Darknet: What We've Seen So Far and What's to Come" that further broke down the actors, motivations, and mitigation strategies in the unfolding cyberwarfare landscape. Check out the recording on-demand.